Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2774
Views
0
Helpful
1
Replies

CBAC vs. reflexive access-lists

Go to solution
b.carbery
Level 1
Level 1

‎03-20-2004 07:06 PM - edited ‎03-09-2019 06:49 AM

It seems to me these features serve similar functions. Does CBAC essentially supercede reflexive access-lists due to the ability to recongnise application traffic such as FTP which RACL's cannot? Can the two coexist to allow RACLs to match applications the CBAC does not yet support?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎03-21-2004 05:11 PM

Reflexive ACL's are very basic, they just look at outgoing traffic and allow the inverse to come back in. They don't know anything about particular protocols and don't look any further than the src/dest addresses and ports in the outgoing packet.

CBAC, on the other hand, turns your router into a true stateful firewall similar to the PIX. With CBAC incoming packets are allowed back in based on previous outgoing packets (similar to reflexive ACL's), but the incoming packets have to be part of an existing session. For example, CBAC checks the ACK/SEQ numbers in an incoming TCP packet to check that it's part of a known TCP session. If not, the packet is dropped. Additionally, CBAC is protocol-specific and will open up additional holes to allow certain types of traffic back in (for the FTP data channel, for example). Reflexive ACL's won't do this.

You can't use both at the same time. If there's a particular protocol that CBAC doesn't support, then CBAC will still open up a hole to allow the returning traffic as long as you have UDP and TCP inspection turned on. Additionally it still makes sure that the packets are part of an existing session. This is still more than reflexive ACL's will do for you, so if you can run CBAC then forget about reflexive ACL's.

View solution in original post

0 Helpful
1 Reply 1

Go to solution
gfullage
Cisco Employee
Cisco Employee

‎03-21-2004 05:11 PM

Reflexive ACL's are very basic, they just look at outgoing traffic and allow the inverse to come back in. They don't know anything about particular protocols and don't look any further than the src/dest addresses and ports in the outgoing packet.

CBAC, on the other hand, turns your router into a true stateful firewall similar to the PIX. With CBAC incoming packets are allowed back in based on previous outgoing packets (similar to reflexive ACL's), but the incoming packets have to be part of an existing session. For example, CBAC checks the ACK/SEQ numbers in an incoming TCP packet to check that it's part of a known TCP session. If not, the packet is dropped. Additionally, CBAC is protocol-specific and will open up additional holes to allow certain types of traffic back in (for the FTP data channel, for example). Reflexive ACL's won't do this.

You can't use both at the same time. If there's a particular protocol that CBAC doesn't support, then CBAC will still open up a hole to allow the returning traffic as long as you have UDP and TCP inspection turned on. Additionally it still makes sure that the packets are part of an existing session. This is still more than reflexive ACL's will do for you, so if you can run CBAC then forget about reflexive ACL's.

0 Helpful
Customers Also Viewed These Support Documents